Risk management is becoming a mandatory requirement across the ISO management system standards. Until now it has been a requirement of CMMI maturity level 3 and above, and of ISO 27001. ISO 9001:2008 does not require it. The upcoming 2015 edition of ISO 9001 builds risk-based thinking into the standard itself, which is a more proactive approach: the organization and its functions have to identify risks and issues in all of their projects and processes before they turn into problems.
What is a Reactive Approach?
Before moving towards a proactive approach, let's see what a reactive approach is.
What is a Risk?
Risk is the effect of uncertainty on an organization's objectives. Every activity of an organization involves some risk.
Risk management is the set of coordinated activities used to direct and control an organization with regard to risk.
Risk Management in CMMI Level III:
The CMMI v1.3 model describes risk management as a continuous, forward-looking process that is an important part of project management. It should address the issues that could endanger the achievement of critical objectives.
Risks come from many sources, technical and non-technical, and they affect cost, schedule and performance. Risks that are identified and managed early are comparatively easier, less costly and less disruptive to deal with than those discovered late.
Risk management in CMMI covers:
- Defining a risk management strategy
- Identifying and analyzing risks
- Handling identified risks, including the implementation of risk mitigation plans as needed
The Risk Management (RSKM) process area at CMMI v1.3 maturity level 3 expects the project to systematically plan for, anticipate and mitigate risks so that their impact on the project is minimized proactively.
Steps for risk management: the Specific Goals (SG) defined in CMMI for Risk Management:
Risk Management in ISO 27001:2013-
ISO 27001:2013 no longer prescribes the asset-based method that the 2005 edition required, but asset-based risk assessment remains the most common way to meet it. You identify all the assets in the organization and classify them (hardware, software, documented information, tools, etc.), then identify the risks to the confidentiality, integrity and availability of the information each asset holds.
ISO 27001:2013 requires a defined information security risk assessment and risk treatment process. In ISO 31000 terms this is a risk management framework: the set of components for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization.
Simple steps of Risk Management Framework are shown below:
Known issues with an asset should also be recorded as risks. For example, if access to an asset cannot be restricted as required and the problem cannot be resolved, it should be recorded as a risk; the same applies when procurement of a business-critical asset is going to be delayed.
P-D-C-A for Risk Management process:
“C”- Review of risks:
Identifying and treating risks is not the end of the process. The management system standards are all built on the Plan-Do-Check-Act (PDCA) cycle, and risk review is the "Check" step.
Risks should be reviewed at a defined frequency. Since the last review, assets may have been added or retired, new risks and issues may have appeared, and the rating of existing risks may have dropped because of the treatment actions taken. Review the register regularly and update the risk treatment plan accordingly.
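To make the review step concrete, here is an added example (it is not from the article, from ISO 27001 or from CMMI): a small asset-based risk register in Python that re-rates risks whose likelihood or impact changed after treatment, closes the risks of retired assets, and flags open risks that were not reviewed within the defined interval. The 1-5 scales, the rating = likelihood x impact formula, the 90-day review interval, the level thresholds and the sample risks are all assumptions constructed for the example; ISO 27001:2013 leaves these criteria to the organization.

```python
"""Asset-based risk register with a PDCA 'Check' (review) step.

Added example, not taken from ISO 27001, CMMI or the article.
Assumptions: 1-5 likelihood and impact scales, rating = likelihood x impact,
a 90-day review interval and the level thresholds below.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)   # assumed "defined frequency" for review


@dataclass
class Risk:
    risk_id: str
    asset: str
    description: str
    likelihood: int            # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                # 1 (negligible) .. 5 (severe), assumed scale
    last_reviewed: date
    status: str = "open"

    @property
    def rating(self) -> int:
        return self.likelihood * self.impact

    def level(self) -> str:
        # Assumed thresholds; the organization defines its own acceptance criteria.
        if self.rating >= 15:
            return "high"
        if self.rating >= 8:
            return "medium"
        return "low"


@dataclass
class RiskRegister:
    assets: set
    risks: dict = field(default_factory=dict)

    def add(self, risk: Risk) -> None:
        # Asset-based method: every risk must point at an asset in the inventory.
        if risk.asset not in self.assets:
            raise ValueError(f"unknown asset: {risk.asset}")
        self.risks[risk.risk_id] = risk

    def retire_asset(self, asset: str) -> list:
        """An asset deleted from the inventory takes its open risks with it."""
        self.assets.discard(asset)
        closed = []
        for r in self.risks.values():
            if r.asset == asset and r.status == "open":
                r.status = "closed: asset retired"
                closed.append(r.risk_id)
        return closed

    def review(self, today: date, reassessed: dict) -> dict:
        """The 'C' step: apply new likelihood/impact where treatment changed them,
        then report open risks that were not reviewed within REVIEW_INTERVAL."""
        result = {"downgraded": [], "escalated": [], "overdue": []}
        for risk_id, (likelihood, impact) in reassessed.items():
            r = self.risks[risk_id]
            old_rating = r.rating
            r.likelihood, r.impact, r.last_reviewed = likelihood, impact, today
            if r.rating < old_rating:
                result["downgraded"].append(risk_id)
            elif r.rating > old_rating:
                result["escalated"].append(risk_id)
        for r in self.risks.values():
            if r.status == "open" and today - r.last_reviewed > REVIEW_INTERVAL:
                result["overdue"].append(r.risk_id)
        return result

    def open_risks(self) -> list:
        return sorted(r.risk_id for r in self.risks.values() if r.status == "open")


def build_sample_register() -> RiskRegister:
    """Constructed sample data, not drawn from any real organization."""
    reg = RiskRegister(assets={"HR database server", "Backup tapes", "VPN gateway"})
    reg.add(Risk("R1", "HR database server",
                 "Shared admin account needed by legacy app; access cannot be restricted",
                 likelihood=4, impact=4, last_reviewed=date(2015, 1, 10)))
    reg.add(Risk("R2", "Backup tapes", "Tapes stored off-site unencrypted",
                 likelihood=2, impact=5, last_reviewed=date(2015, 3, 1)))
    reg.add(Risk("R3", "VPN gateway", "Replacement appliance delivery delayed by supplier",
                 likelihood=3, impact=3, last_reviewed=date(2015, 3, 20)))
    return reg


def run_sample() -> dict:
    """Quarterly review on 2015-05-01: tapes are now encrypted (R2 re-rated),
    the VPN gateway has been replaced and retired from the inventory."""
    reg = build_sample_register()
    outcome = reg.review(date(2015, 5, 1), reassessed={"R2": (1, 5)})
    outcome["closed"] = reg.retire_asset("VPN gateway")
    outcome["open"] = reg.open_risks()
    outcome["levels"] = {rid: reg.risks[rid].level() for rid in outcome["open"]}
    return outcome


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

In the sample run, R1 has not been looked at for 111 days and is reported as overdue, R2 drops from "medium" to "low" because its treatment (encrypting the tapes) lowered the likelihood, and R3 is closed automatically when its asset leaves the inventory, which is exactly the set of changes the review paragraph says a periodic "Check" must pick up.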
Risk management is therefore the proactive part of project and process management: it lets the organization act on problems before they materialize, so that projects and processes run smoothly.